Comment by xnx
4 days ago
> some apps (e.g., banking apps) will refuse to operate and such when developer mode is on
JFC. Why would an app be allowed to know this? Just another datapoint for fingerprinting.
Yes, it is really dumb that some of these settings are exposed to all apps with no permission gating [0]. But it will likely always be possible to fingerprint based on enabled developer options because there are preferences which can only be enabled via the developer options UI and (arguably) need to be visible to apps.
0: https://developer.android.com/reference/android/provider/Set...
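To illustrate the point above about permission gating, here is an added example (not code from this thread, and not from any of the apps discussed): a small Android Java class, with the class and field names being my own, that reads the two documented Settings.Global keys behind the developer-options toggle and USB debugging. The read path needs no permission declared in the manifest, which is exactly why any installed app can use it as a fingerprinting datapoint.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.provider.Settings;

/**
 * Added example (hypothetical class name): reads the developer-options
 * state that Android exposes to every app through Settings.Global.
 * No <uses-permission> entry is required for these two keys.
 */
public final class DevOptionsProbe {

    /** Plain holder for the two flags (name is an assumption of this example). */
    public static final class Result {
        public final boolean developerOptionsEnabled;
        public final boolean adbEnabled;

        Result(boolean developerOptionsEnabled, boolean adbEnabled) {
            this.developerOptionsEnabled = developerOptionsEnabled;
            this.adbEnabled = adbEnabled;
        }
    }

    private DevOptionsProbe() {}

    public static Result read(Context context) {
        ContentResolver resolver = context.getContentResolver();

        // Settings.Global.getInt(resolver, name, defaultValue) is a public,
        // unprivileged read. The default of 0 is returned when the key was
        // never written, i.e. developer options have never been opened.
        boolean developerOptions = Settings.Global.getInt(
                resolver, Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) != 0;

        // USB debugging is a separate key; it can only be turned on from the
        // developer-options screen, so a true value implies the screen was used.
        boolean adb = Settings.Global.getInt(
                resolver, Settings.Global.ADB_ENABLED, 0) != 0;

        return new Result(developerOptions, adb);
    }
}
```

Because the value is read from a device the user controls, it is best treated as a risk signal to log or score alongside other telemetry, not as a security boundary: the comments above are right that a blanket refusal to run mainly raises friction for legitimate users rather than stopping a determined adversary.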
What might help better is having permissions so that you can set separate settings that can be read by different apps (including the possibility of returning errors instead of the actual values); even if they can be read by default, you can also change them per app. (This has other benefits as well, including that if some settings are not working properly due to a bug, you can then work around it.)
It's always boggled my mind what native apps are allowed to know versus the same thing running in a browser on the same device.
Because estimates suggest Americans lose about $119 billion annually to financial scams, which is a not insignificant fraction of our entire military budget, or more than 5% of annual social security expenditures.
Banks do these things to check security boxes, not to prevent scams.
In this case, they don't want users to reverse-engineer their app or look at logs that might inadvertently leak information about how to reverse-engineer their app. It is pointless, I know, but some security consultant has created a checkbox which must be checked at all costs.
What do scams have to do with having developer options enabled?
This isn't a rhetorical question. There's no big red warning on the developer options screen saying it's dangerous. I haven't heard about real-world attacks leveraging developer settings. I suppose granting USB debug to an infected PC is dangerous, but if you're in that situation, you're already pwned.
Is there a real vulnerability nobody talks about?
Android is attempting to discourage good / regular users from sideloading apps, rooting their phone, etc.
Android wants good / regular users to pass things like Play Integrity with the strongest verdicts.
This helps app distributors to separate regular good users from custom clients, API scripting etc that is often used to coordinate scamming, create bots, etc. If an app developer can just toss anyone who doesn't pass Play Integrity checks in the trash, they can increase friction for malicious developers.
That is unrelated to apps installed outside of the playstore (which by the way is full of malware).
It is like mandating that people use rain jackets in the rain to avoid getting cancer.
So put a disclaimer in... Same way tons of other stuff works...
Nobody reads disclaimers, and people who get scammed and lose their life savings won't be made whole by being told "you accepted the disclaimer, nothing we can do."
Most of the victims were last in school in the 1960s, when all this stuff didn't exist. Also, from experience, teaching people with dementia or memory issues is kinda challenging, as they just forget.